49
votes

I'm getting this error after I sign into my Azure website:

AADSTS50194: Application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx' is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.

4
You might want to elaborate on the kind of application / flow you were using - Jean-Marc Prieur
You should accept Coruscate5's answer. You should never use a multitenant AAD registration app if you do not need to. - zolty13
@zolty13 good point. - DharmaTurtle
@zolty13, I don't know how you came to this conclusion with such little information. There is nothing wrong with multi-tenant applications if you expect users to get sign-in from different tenants. A public app is a good example. - sy-huss
@sy-huss DharmaTurtle has not written about multitenant AAD, so for me it is obvious that he does not need a multitenant app. Enabling multitenant causes side effects. Changing the endpoint is enough to solve the problem. Probably Dharma used the wrong endpoint, which was proposed in some kind of tutorial or article. I have made the same mistake. - zolty13

4 Answers

51
votes

If you are an Azure administrator getting this message, it may be for the exact reason that is listed in the error message - you cannot use the common API endpoint for MSFT logins to tenant-specific applications.

In my case, I was configuring an app registration with sample code - the sample code needed to be modified with a new endpoint. I.e., the following line:

let kAuthority = "https://login.microsoftonline.com/common"

needed to be changed to:

let kAuthority = "https://login.microsoftonline.com/MY_TENANT_NAME"

The tenant name for your Azure organization can be obtained by typing "Tenant Status" into the Azure search bar.


Xamarin: The above note worked for MSAL iOS - for Xamarin MSAL Android/iOS, there was no direct way to set the authority in the main call. It needs to be chained to the interactive login call.

E.g., the sample code here:

authResult = await App.PCA.AcquireTokenInteractive(App.Scopes)
                      .WithParentActivityOrWindow(App.ParentWindow)
                      .ExecuteAsync();

Needs to be changed to this:

authResult = await App.PCA.AcquireTokenInteractive(App.Scopes)
                      .WithAuthority("https://login.microsoftonline.com/YOUR_TENANT_NAME")
                      .WithParentActivityOrWindow(App.ParentWindow)
                      .ExecuteAsync();

20
votes

It turns out that my account was not actually on Azure AD, so I needed to check "Accounts in any organizational directory" under "Supported account types" on portal.azure.com

Specifically: portal.azure.com > Azure Active Directory > App registrations (preview) > Your App > Authentication > Supported account types > Accounts in any organizational directory

9
votes

Enable multi-tenant using the below option in Azure.

portal.azure.com -> Azure Active Directory -> App registrations -> Select Your App -> Authentication -> Supported account types -> Accounts in any organizational directory (Any Azure AD directory - Multitenant)

This should be enabled when you want to allow public users.

If you want to authorize the user at the organization level (private users), use the below option.

let authUrl = "https://login.microsoftonline.com/common"

Change it like below:

let authUrl = "https://login.microsoftonline.com/MY_TENANT_NAME"

1
votes

Further to @Coruscate5's post, which has helped me, you can set WithAuthority for iOS as follows.

var builder = PublicClientApplicationBuilder.Create(OAuthSettings.ApplicationId).WithAuthority("https://login.microsoftonline.com/YOUR_TENANT_NAME");

This is important if you were following the Build Xamarin apps with Microsoft Graph guide and you aren't authenticating to a multi-tenant application.

This is how you get your tenant name:

https://docs.microsoft.com/en-us/onedrive/find-your-office-365-tenant-id
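
The answers above come down to keeping the client's authority URL consistent with the registration's "Supported account types". As an added example (not code from any of the posts), here is a small pre-deployment check in Python that flags the mismatch behind AADSTS50194. It assumes the audience is given as the app manifest's `signInAudience` value (`AzureADMyOrg` for single-tenant); the function names and the `contoso.onmicrosoft.com` tenant are constructed placeholders.

```python
from urllib.parse import urlsplit

# Path segments that are shared aliases, not one specific tenant.
SHARED_ALIASES = {"common", "organizations", "consumers"}

def tenant_segment(authority: str) -> str:
    """Return the tenant part of an authority URL, lower-cased."""
    parts = urlsplit(authority)
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https" or not parts.hostname or not segments:
        raise ValueError(f"not a usable authority URL: {authority!r}")
    return segments[0].lower()

def check_authority(authority, sign_in_audience, own_tenants=()):
    """Return a list of findings; an empty list means nothing was flagged.

    own_tenants: tenant ID and/or domain that owns the registration (optional).
    """
    tenant = tenant_segment(authority)
    if sign_in_audience != "AzureADMyOrg":
        return []  # only the single-tenant case is checked here
    if tenant == "common":
        return ["single-tenant app uses /common: AADSTS50194 "
                "(apps created after 10/15/2018)"]
    if tenant in SHARED_ALIASES:
        return [f"single-tenant app uses shared alias /{tenant}, not its own tenant"]
    allowed = {t.lower() for t in own_tenants}
    if allowed and tenant not in allowed:
        return [f"authority is pinned to {tenant}, which is not the app's tenant"]
    return []

# Constructed sample configurations (placeholder tenant values).
SAMPLES = [
    ("https://login.microsoftonline.com/common", "AzureADMyOrg"),
    ("https://login.microsoftonline.com/contoso.onmicrosoft.com", "AzureADMyOrg"),
    ("https://login.microsoftonline.com/common", "AzureADMultipleOrgs"),
]

if __name__ == "__main__":
    for authority, audience in SAMPLES:
        findings = check_authority(authority, audience, {"contoso.onmicrosoft.com"})
        print(authority, audience, findings or "OK")
```

Run against the client configuration before release, it catches a `/common` authority copied from sample code without changing the registration to multi-tenant.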